Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Do we need to install same Splunk Apps in all Indexer Cluster servers?

meoo
Explorer
‎05-14-2018 05:17 AM

Hi

We are planning to have indexer cluster environment.

For testing, we currently have single indexer which has all of our application like "Splunk Addon for AWS" and others installed and all data is arriving as expected.

I wanted to know, if we go for cluster environment where we have master node and multiple indexer node, in such case, do I need to install all the apps in all the indexers servers ? For example, do I need to install "Splunk Addon for AWS" app in all the indexers ?

0 Karma
Reply

woodcock
Esteemed Legend
‎10-12-2019 11:13 PM

Yes. You put the apps on the Cluster Master and then push them to the Indexers.

0 Karma
Reply

ololdach
Builder
‎10-11-2019 03:07 AM

Simply put: Yes. All cluster members must have the same configurations that are being deployed through the cluster-master. Please refer to the Cluster-Management Class and the documentation.

In regards to other comments about duplicating data if an app resides on multiple indexers: The only configuration item that influences the redundancy of data is the replication factor that has been defined for the index. Data will only be indexed twice, if some app contains inputs.conf settings that lead to ingesting data in duplicates. Hence the best practice for distributed environments is to keep all inputs.conf separated from the original app and deploy them through the deployment server to forwarders. As a general rule of thumb: only forwarders should have any inputs.conf files in their ./etc tree... unless the special use case calls for an exception. Alternatively the inputs.conf stanzas can be disabled everywhere other than inside the ./etc/deploment-apps/ subdir on the deployment server.

0 Karma
Reply

althomas
Communicator
‎05-14-2018 06:14 AM

Yes, you should have all the same apps on all the cluster peers.

For the Splunk Addon for AWS, I would get a separate heavyweight forwarder to send the data to the indexer cluster. This will also cause less strain on the indexer cluster.

Reply

althomas
Communicator
‎05-15-2018 01:08 AM

In response to your other question, if you put the same app on all five servers and configure it for all five servers, you will duplicate your data 5x. This is why you should use a separate heavy forwarder to send data to the cluster, as you only have one set of data being pulled into your system. This introduces a single point of failure, but you can copy over the configuration to another heavy forwarder and disable the inputs.

0 Karma
Reply

brettcave
Builder
‎10-11-2019 01:49 AM

assuming the app is installed on the HF to collect data and send it to the indexer cluster, and the app is also installed on all the indexers for setting up stuff like props / transforms / indexes (specifically at least the indexes.conf).

Or is it better to install the AWS app on a HF and manually configure awsindex through something like etc/system/local/indexes? Would imagine "install aws app on all nodes" is a better approach?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...